ARM hardware debugging

Introduction

This project was originally aimed at debugging Stellaris Launchpad board (ARM Cortex M4F), but can be applied to ARM-related and OpenOCD-supported devices as well. There is also some information on using external hardware JTAG debuggers.

Building

Pass the usual “--prefix” to configure before running “make” and “make install”, and keep the install location somewhere in $PATH. You may enable support for multiple adapters with --enable-XXXX, like J-Link or Buspirate support. Starting with version 0.8.0 OpenOCD seems to enable all supported adapters by default, so there's no need to specify them.

Udev rules for debugger devices

If you haven't done so yet, create a rule file in /etc/udev/rules.d/, otherwise openocd won't work for non-root users.

Example of /etc/udev/rules.d/51-arm-development.rules, substitute your_username for the username openocd should run under:

Connecting OpenOCD to Qt Creator

In one terminal, connect to on-chip-debugger (modify the path for configuration file depending on where you installed OpenOCD):

openocd --file ~/sat/share/openocd/scripts/board/ek-lm4f120xl.cfg

If you're using an external JTAG adapter, you may have to specify it as the interface for openocd. The following example shows usage for an ST-Link/v2 JTAG connected to an STM32F4 microcontroller:

openocd -f interface/stlink-v2.cfg -f target/stm32f4x_stlink.cfg

Now, from running Qt Creator, select from main menu Debug-Start Debugging-Attach To Remote Debug Server. Make sure to fill out Debugger to arm-none-eabi-gdb pointing to your toolchain's GDB debugger. Local executable should point at compiled ELF executable. Host:port combo will default to localhost:3333.

Select Window-Views-Debugger Log.

Write three commands to the debugger log (this could likely be automated using the startup script option):

monitor reset halt
load
monitor reset init

The monitor reset halt command will halt execution, the load command will load your ELF binary, and monitor reset init will restore the program to the beginning. Resume execution (F5 key by default) to run the program. You can now e.g. set breakpoints or pause execution.

Qt Creator 3 requires GDB with Python scripting support

If you get an error message from Qt Creator that GDB does not support Python scripting, you'll need to recompile GDB with Python support. Download GDB and configure it with:

./configure --target=arm-none-eabi --with-python

Qt Creator 3 also has slightly different dialogs: you'll need to point Qt Creator to the ARM GCC and GDB in Tools→Options→Build&Run by creating a new “kit” where you specify the path to the arm-none-eabi-gcc compiler and the arm-none-eabi-gdb debugger.

JTAG vs SWD interface for debugging with external HW debugger

SWD (Serial Wire Debug) is a newer HW debug interface, using only 2 pins (SWDIO and SWCLK) instead of the 5-pin JTAG. SWD should be compatible with all ARM processors. The SWDIO and SWCLK pins are overlaid on the TMS and TCK pins of original JTAG header.

From OpenOCD's point of view, the physical connection doesn't matter.

Breakpoints and stepping

Breakpoints should work as usual, just don't forget “-g” flag and use no optimization “-O0” with gcc CFLAGS (last -ON flag “wins”).

Caveats - SIGTRAP, long "step over" delay

If you are getting “SIGTRAP” shown from Qt Creator, delete old breakpoints and restart the program anew - reset or physically disconnect Stellaris Launchpad.

If “step over” is taking way too long (tens of seconds or minutes), it may mean that you've tried to step over a cycle or an expanded macro. A temporary breakpoint is much faster. Nevertheless, you may watch the console output of openocd to see that the program is actually running, showing the PC register and waiting for the breakpoint to hit.

Example showing Imprecise bus fault

As an example, we'll show how to trigger an IMPRE fault (imprecise bus error). Look at blinky.c from StellarisWare: there is a “seemingly unnecessary line” with an assignment to the ulLoop variable in the main() function:

//
// Enable the GPIO port that is used for the on-board LED.
//
SYSCTL_RCGC2_R = SYSCTL_RCGC2_GPIOF;
//
// Do a dummy read to insert a few cycles after enabling the peripheral.
//
ulLoop = SYSCTL_RCGC2_R; // <--- !!! if commented out, may cause imprecise bus error with gcc's -O2 optimization !!!
//
// Enable the GPIO pin for the LED (PF3). Set the direction as output, and
// enable the GPIO pin for digital function.
//
GPIO_PORTF_DIR_R = 0x08;
GPIO_PORTF_DEN_R = 0x08;

Try commenting out the line with the assignment to ulLoop and compile with -O2 -g (e.g. add CFLAGSgcc=-O2 -g to the Makefile). If you used the same toolchain (linked above as “recommended toolchain”), nothing will blink. When you attach using OpenOCD, you'll see that you've ended up in FaultISR.
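
Once the debugger shows you in FaultISR, reading the Configurable Fault Status Register from GDB (x/wx 0xE000ED28) tells you which fault was taken; IMPRE is bit 10, called IMPRECISERR in ARM's naming. The decoder below covers all bus-fault bits and is an added example, not code from StellarisWare or the original page: the function names and the sample value are made up for illustration, the register address and bit positions are those of the ARMv7-M architecture.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bus-fault byte of the ARMv7-M CFSR (address 0xE000ED28), bits 8..15. */
#define CFSR_PRECISERR   (1u << 9)
#define CFSR_IMPRECISERR (1u << 10)
#define CFSR_BFARVALID   (1u << 15)

static const struct { uint32_t mask; const char *name; } bus_bits[] = {
    { 1u << 8,          "IBUSERR" },     /* instruction fetch failed */
    { CFSR_PRECISERR,   "PRECISERR" },   /* stacked PC is the faulting access */
    { CFSR_IMPRECISERR, "IMPRECISERR" }, /* buffered write failed later (IMPRE) */
    { 1u << 11,         "UNSTKERR" },    /* fault while unstacking on return */
    { 1u << 12,         "STKERR" },      /* fault while stacking on entry */
    { 1u << 13,         "LSPERR" },      /* lazy FP state save (Cortex-M4F) */
    { CFSR_BFARVALID,   "BFARVALID" },   /* BFAR (0xE000ED38) holds the address */
};

/* Names of the set bus-fault flags go into out; returns their count, -1 if no buffer. */
int decode_bus_fault(uint32_t cfsr, char *out, size_t outlen)
{
    int n = 0;
    if (!out || outlen == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof bus_bits / sizeof bus_bits[0]; i++) {
        if (!(cfsr & bus_bits[i].mask)) continue;
        if (n++) strncat(out, " ", outlen - strlen(out) - 1);
        strncat(out, bus_bits[i].name, outlen - strlen(out) - 1);
    }
    return n;
}

/* Imprecise: the stacked PC is only near the culprit, so look at earlier stores. */
int is_imprecise(uint32_t cfsr) { return (cfsr & CFSR_IMPRECISERR) != 0; }
/* BFAR can be trusted only for a precise fault with BFARVALID set. */
int fault_address_known(uint32_t cfsr)
{
    return (cfsr & CFSR_PRECISERR) && (cfsr & CFSR_BFARVALID);
}

int main(void)
{
    char buf[96];
    /* Constructed sample value (only bit 10 set), not captured from hardware. */
    decode_bus_fault(0x00000400u, buf, sizeof buf);
    printf("CFSR=0x00000400: %s, BFAR usable: %d\n", buf, fault_address_known(0x00000400u));
    return 0;
}
```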

Getting code completion working for StellarisWare, DriverLib, UsbLib

The easiest way is to have StellarisWare open as a project. From File-New File or Project, select Import existing project, then select the StellarisWare directory. In the second step, where the dialog asks you to check subdirectories to import, it's enough to select just driverlib, inc, usblib and utils.

The other option would be adding path to the relevant include files (see Project tab). You might have to explicitly define some of the make macros like -DTARGET_IS_BLIZZARD_RA1 under the Project tab to get ROM_ and MAP_ prefixed functions to resolve correctly, but it was not necessary in my case.

Stellaris Launchpad as simple logic analyzer

Given the clock speed of Stellaris Launchpad, it's fast enough for snapping signals. With a bit of proper synchronization, it can be used as a logic analyzer with short memory (alternatively direct download link for the tar.gz). In the comments towards the end, there is a version that uses more than 16 kB RAM, meaning a longer time interval can be sampled.

The code turns Stellaris into SUMP-protocol compatible device, you can use OLS Logic Sniffer client to read from it. Any time a GPIO value on PORTB[0..7] changes, the capture starts. Note: PB0 and PB1 are limited to 3.6 V! All other pins of PORTB are 5 V tolerant.

First flash the sllogiclogger.bin image onto Stellaris you'll use for measurement. Then copy over the config file ols.profile-SLLogicLogger.cfg from sllogiclogger tarball to ols-0.9.6.1/plugins directory (or whatever your version of OLS is).

Sample showing sllogiclogger for debugging ATSHA204 single-wire communication. One Stellaris controls the ATSHA204, the other Stellaris serves as sllogiclogger. PB6 and PB7 are used to read from, as the OLS screen shows.

You might want to change the line in ols.profile-SLLogicLogger.cfg containing device.samplerates to make your measurement more precise. Since sllogiclogger uses a raw for() cycle without interrupts and DMA, the actual sampling frequency highly depends on the compiler and flags used when you compile the sllogiclogger.

For instance, I didn't need 10 MHz, I was okay with 1 MHz but longer capture. So after some measurements I've found out that using 1236000 Hz for device.samplerates and changing sllogiclogger.c divider SYSCTL_SYSDIV_27 in ROM_SysCtlClockSet call, it measures fairly accurately when it's compiled with -O2 flag with the recommended toolchain mentioned above.

Open Bench Logic Sniffer with OLS client

First of all, it is absolutely essential to flash both the FPGA and PIC firmware of the Open Bench sniffer to make it work reliably with the OLS client - see updates. Otherwise the triggers may not work reliably. Note that flashing new FPGA/PIC firmware may not work the first time, so try multiple attempts (also, the Linux OLS updater depends on old libusb shared libraries). Links for quickstart and using triggers:

OpenOCD config file

(Sorry I had to put it here zipped as it couldn't be uploaded as .cfg and neither put as file/code into the page - it was impossible to escape)

Putting it together

The “load” command was not working correctly for me, so I had to use the flasher utility to flash the OS image (./client/flasher /dev/ttyACM0 ./armsrc/obj/osimage.elf). Alternatively it's possible to use the J-link JTAG to flash image (see below).

As usual, run openocd first:

openocd -f proxmark3-jlink.cfg

Then GDB in another terminal - arm-none-eabi-gdb armsrc/obj/fullimage.elf. It's recommended that you recompile code with debugging symbols enabled. In gdb shell, connect to gdb server and try a breakpoint on some simple function:

When you run proxmark client (./client/proxmark3 /dev/ttyACM0), give it hw version command. GDB should now break at the SendVersion breakpoint you've set before.

Example: Unbricking (restoring) Proxmark bootloader

When bootloader gets overwritten into unusable state, this method can be used to overwrite flash sectors with fresh correct bootloader. The config file below is very similar to the one used for code debugging (I guess that one could work too, not sure about the memory map enabling).

The code halts processor, erases bootloader sectors, then writes bootloader from /path/to/booloader.elf. After power cycling the bootloader should be working if the elf file is correct.

J-link connected to Proxmark

Flyswatter connected to Proxmark

Flyswatter needs TDI pin connected, otherwise it won't work. SWD protocol seems not to work with Flyswatter. You can use board config from above section with:

openocd -f interface/ftdi/flyswatter.cfg -f board/proxmark3-jlink.cfg

Flyswatter debugging Proxmark

FTDI C232HM-DDHSL-0 cable

The FTDI C232HM-DDHSL-0 cable (datasheet) is a handy portable cable that combines UART, JTAG, I2C and SPI. UART works out-of-the-box, SPI and I2C are supported through libmpsse. JTAG is supported in OpenOCD, use this config (save it as interface/ftdi/c232hm.cfg under scripts). It's actually the same hardware as Digilent SMT2 JTAG.

The only strange thing is that the FTDI cable is missing the nSRST signal, so you can't reset the processor via monitor reset halt. Connecting nSRST to a GPIO pin and using nSRST in the config as noted above will allow you to reset via monitor reset halt.

UrJTAG

UrJTAG doesn't have a named driver for this, but you can use Flyswatter, JTAGkey, Signalyzer or Turtelizer2 by explicitly specifying the USB PID, e.g.: